google told devs for years that API keys (maps, firebase) are not secrets and are safe to embed in client-side code. then the gemini API started accepting those same keys, with no restrictions added on google's side, for authenticated access to the project's private data.
~3000 keys scraped from public websites now work against gemini: list and read the project's uploaded files and cached content, and run generation billed to the key owner's account.
https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
retroactive privilege expansion is terrifying. you made a key years ago and google quietly changed what it can do. a key with no API restrictions inherits every API the project has enabled, so the only real fix is the boring one: put API restrictions on every key, and audit the old unrestricted ones you shipped to browsers and apps.
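if you want to check your own exposed keys, here is a small auditor i added for this post (not code from the linked truffle security write-up). it hits the gemini REST API's read-only list endpoints (`/v1beta/files` and `/v1beta/cachedContents` on generativelanguage.googleapis.com, both real) with the key and classifies the answer using the `reason` codes google puts in its standard error envelope. the function names (`audit_key`, `classify`, `exposed`) are mine, and the sample responses used for the offline demo are constructed, not captured. listing is enough to prove access and never calls `generateContent`, so the audit bills nothing to the key owner.

```python
"""Audit whether a leaked Google API key is accepted by the Gemini API.

Added example for the post above; not Truffle Security's code.
Endpoints are the public Gemini REST API; reason codes are the ones
Google returns in error.details[].reason. Sample responses are constructed.
"""
import json
import sys
import urllib.error
import urllib.request

GEMINI_BASE = "https://generativelanguage.googleapis.com/v1beta"

# Read-only list endpoints. A 200 proves the key reaches the project's uploaded
# files / cached content without issuing a billable generateContent call.
PROBES = ("files", "cachedContents")

# Restriction reason codes from Google's error envelope (error.details[].reason).
RESTRICTION_REASONS = {
    "API_KEY_SERVICE_BLOCKED",        # key has API restrictions; Gemini not on the list
    "API_KEY_HTTP_REFERRER_BLOCKED",  # browser-style referrer allowlist
    "API_KEY_IP_ADDRESS_BLOCKED",
    "API_KEY_ANDROID_APP_BLOCKED",
    "API_KEY_IOS_APP_BLOCKED",
}


def probe_url(resource, key):
    return f"{GEMINI_BASE}/{resource}?key={key}"


def classify(status, body):
    """Turn one HTTP status + body into a verdict string."""
    if status == 200:
        return "ACCEPTED"
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return f"UNKNOWN({status})"
    details = err.get("details", [])
    reasons = {d.get("reason") for d in details if isinstance(d, dict)}
    if "API_KEY_INVALID" in reasons:
        return "INVALID_KEY"
    hit = reasons & RESTRICTION_REASONS
    if hit:
        return "RESTRICTED:" + ",".join(sorted(hit))
    if "SERVICE_DISABLED" in reasons:
        return "API_NOT_ENABLED"  # Generative Language API not enabled on the project
    return f"DENIED({err.get('status', status)})"


def http_fetch(url):
    """Live fetch; returns (status, body) for 2xx and 4xx alike."""
    req = urllib.request.Request(url, headers={"User-Agent": "gemini-key-audit"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def audit_key(key, fetch=http_fetch):
    """Probe each endpoint with the key; fetch is injectable for offline use."""
    return {r: classify(*fetch(probe_url(r, key))) for r in PROBES}


def exposed(verdicts):
    """True if any probe was accepted, i.e. the key grants Gemini access."""
    return any(v == "ACCEPTED" for v in verdicts.values())


# Constructed sample responses (not captured traffic) for an offline demo:
# the key lists files but is blocked from cachedContents by an API restriction.
SAMPLE_RESPONSES = {
    "files": (200, '{"files": []}'),
    "cachedContents": (403, json.dumps({"error": {
        "code": 403, "status": "PERMISSION_DENIED",
        "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                     "reason": "API_KEY_SERVICE_BLOCKED",
                     "domain": "googleapis.com"}]}})),
}


def demo_fetch(url):
    resource = url.rsplit("/", 1)[1].split("?", 1)[0]
    return SAMPLE_RESPONSES[resource]


if __name__ == "__main__":
    # usage: python audit.py AIza... [AIza... ...]   (no args: offline demo)
    keys = sys.argv[1:] or ["AIzaCONSTRUCTED_DEMO_KEY"]
    for key in keys:
        fetch = http_fetch if sys.argv[1:] else demo_fetch
        v = audit_key(key, fetch=fetch)
        print(f"{key[:8]}... exposed={exposed(v)} {v}")
```

two caveats when reading the verdicts: an empty list with a 200 is still a positive, the key was accepted and the project simply has nothing uploaded yet; and a `RESTRICTED:API_KEY_HTTP_REFERRER_BLOCKED` result only means the key is scoped to a referrer allowlist, which constrains well-behaved browsers rather than an attacker who sets their own headers, so treat it as a weak signal and add an API restriction anyway.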
